Extreme Coders Posted October 12, 2022
Quoting AeroX2 (33 minutes ago): Also working on ch8 and would appreciate any assistance.
Once you get to decode all of them (about 70 I think) the interesting ones should be evident by the presence of suspicious strings etc. Writing a tool to automate does help.

Canlex Posted October 12, 2022
Quoting Extreme Coders (3 hours ago): Once you get to decode all of them (about 70 I think) the interesting ones should be evident by the presence of suspicious strings etc. Writing a tool to automate does help.
I can see that some sections are getting decrypted with RC4 with a constant key (flared46 method), but just changing those sections doesn't give me anything; it seems I'm missing some metadata or something.

_no_clue Posted October 12, 2022
Any chance I could get a pointer in the right direction for challenge 6? Hitting a brick wall.
It seems like some pipe interaction is needed. However, setting up a server did nothing.

Extreme Coders Posted October 12, 2022
@Canlex Check out which section contributes to the large size of the binary and where it is referenced from the code.

Canlex Posted October 12, 2022 (edited)
Quoting Extreme Coders (2 hours ago): @Canlex Check out which section contributes to the large size of the binary and where it is referenced from the code.
I found the section in question, but I really searched hard and couldn't find where it is referenced from. Unsure where to put my breakpoint to figure that out. I did however find that it uses the function tokens to generate the functions themselves, and each section (maybe not the one in question) corresponds to a function.

deepzero Posted October 12, 2022
@_no_clue Setting up your own pipe is the wrong path. Keep studying the large executable. 6 is considerably simpler than 5 imo.
cybercat Posted October 13, 2022 (edited)
CH#8. Can someone tell me, is it possible to edit the signature of a method in dnSpy? I would like to use hex values to edit the sig somehow, but I do not know how I can do it. How can I find the signature bytes of a method in dnSpy? I got the bytes from the dynamic method and pasted them into the binary, but I think I have to do something with the signatures also, because after patching I do not get into the 'decrypted' methods. Should I do something with the signatures of the methods? Thanks for any hint.

Extreme Coders Posted October 14, 2022
Quoting cybercat (16 hours ago): CH#8.
You can't paste the instruction bytes as-is from the generated dynamic methods to the original method.
Quoting vpn (13 hours ago): Hi, could someone give me a hint on ch3 pls?
Shake the magic8ball in a specific way.

er3zoid Posted October 14, 2022 (edited)
Quoting Extreme Coders (10/14/2022 at 8:37 AM): You can't paste the instruction bytes as-is from the generated dynamic methods to the original method. Shake the magic8ball in a specific way.
Could you point me to a resource to understand how the tokens referenced in the IL code differ between memory and disk? I've tried looking into the ECMA spec but I haven't found anything regarding this translation in detail.
(Edited October 26, 2022 by er3zoid: removed wrong assumptions)

deepzero Posted October 14, 2022
@er3zoid Study the documentation of DynamicILInfo and DynamicMethod.
Neo123 Posted October 15, 2022
I am stuck on challenge 7. Any help is appreciated. This is what I did:
Extracted the overlay from the .exe. Slightly modified the extracted overlay script so that it will run with a nodejs installation and chrome dev. There was an if condition that always throws an error, so I removed it. I removed the switch statement and cases. From here I tried several ways:
1. I tried to remove all the math.random cases and checked the output. Couldn't figure out anything.
2. Tried without removing the math.random cases and checked the output. The output is always random, as expected. Couldn't figure out anything.
Also the output from the script and the actual .exe is different with the same input. I think there is a problem with my approach and I couldn't figure out what is wrong.

Washi (thread author) Posted October 16, 2022
@Neo123
Quoting Neo123 (10 hours ago): Also the output from the script and the actual .exe is different with the same input
Then we must conclude that something is going on in the executable that makes the script behave differently from within the executable.

qpor Posted October 16, 2022
For ch#8: I got to successfully decode the first few methods. The program keeps looping though under the dnSpy debugger. Feels a bit like anti-debugging. Any resources to read up on here? If I replace e.g. flared_67 with the decoded body and try to run the modified program, I always get an exception: "System.InvalidProgramException: Common Language Runtime detected an invalid program". I'm pretty confident the method is decoded correctly, as I get correct C# in dnSpy for it. Would really appreciate any pointers to resources to read up on. Thanks

kao Posted October 16, 2022 (edited)
@qpor:
Quoting qpor (2 hours ago): Feels a bit like anti-debugging
I believe it's just extremely slow due to all the exceptions. I guess you could call that "anti-debugging".
I can think of 2 possibilities:
1. Your decoded IL is wrong. dnSpy tries to decompile even invalid IL, and quite often succeeds. I would check your method with ildasm and peverify.
2. The way you replace the method body is wrong. For example, you might have messed up tokens of all other methods.
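A quick sanity check of the two failure modes kao lists (decoded IL that is wrong, and tokens that no longer resolve after the body was replaced), plus cybercat's question about the locals signature: this is an added example, not code from the thread or from the challenge. It parses a CIL method body header (tiny or fat), walks the IL using the operand sizes from ECMA-335, verifies that the locals token is a StandAloneSig, and flags token operands that cannot resolve in the target module, which is what a token minted in a DynamicMethod's own scope looks like once pasted into the on-disk assembly. The row counts and the two sample bodies are constructed assumptions, not values from the challenge binary.

```python
import struct
# Opcodes carrying a 4-byte metadata token, and the other opcodes with an inline operand keyed
# to operand size (ECMA-335 Partition III); two-byte 0xFE xx opcodes are keyed as 0xFE00 | xx.
TOKEN_OPS = {0x27, 0x28, 0x29, 0x6F, *range(0x70, 0x76), 0x79, *range(0x7B, 0x82), 0x8C, 0x8D,
             0x8F, 0xA3, 0xA4, 0xA5, 0xC2, 0xC6, 0xD0, 0xFE06, 0xFE07, 0xFE15, 0xFE16, 0xFE1C}
INLINE = {**{o: 1 for o in (*range(0x0E, 0x14), *range(0x2B, 0x38))}, 0x1F: 1, 0x20: 4, 0x21: 8,
          **{o: 4 for o in range(0x38, 0x45)}, **{o: 2 for o in range(0xFE09, 0xFE0F)}, 0x22: 4,
          0x23: 8, 0xDD: 4, 0xDE: 1, 0xFE12: 1, 0xFE19: 1}
BODY_TABLES = {0x01: "TypeRef", 0x02: "TypeDef", 0x04: "Field", 0x06: "MethodDef", 0x0A: "MemberRef",
               0x11: "StandAloneSig", 0x1B: "TypeSpec", 0x2B: "MethodSpec", 0x70: "UserString"}
def il_tokens(code):
    # Yield (il_offset, token) for each token operand; raise if the IL ends mid-operand.
    pos = 0
    while pos < len(code):
        start, op, pos = pos, code[pos], pos + 1
        if op == 0xFE:                            # two-byte opcode
            op, pos = 0xFE00 | code[pos], pos + 1
        if op in TOKEN_OPS:
            yield start, struct.unpack_from("<I", code, pos)[0]
            pos += 4
        elif op == 0x45:                          # switch: uint32 n, then n int32 targets
            pos += 4 + 4 * struct.unpack_from("<I", code, pos)[0]
        else:
            pos += INLINE.get(op, 0)
    if pos != len(code):
        raise ValueError("IL ends in the middle of an operand")
def check_body(body, row_counts=None):
    if body[0] & 0x3 == 0x2:                      # tiny header: one byte, code size << 2, no locals
        code_size, locals_tok, off = body[0] >> 2, 0, 1
    elif body[0] & 0x3 == 0x3:                    # fat header: code size, locals token, size in dwords
        code_size, locals_tok, off = (*struct.unpack_from("<II", body, 4), (body[1] >> 4) * 4)
    else:
        return ["not a CIL method body header"]
    if len(body) < off + code_size:
        return [f"header wants {code_size} code bytes, {len(body) - off} present"]
    problems = []
    if locals_tok and locals_tok >> 24 != 0x11:   # locals must be a StandAloneSig token
        problems.append(f"locals token {locals_tok:#010x} is not a StandAloneSig")
    for il_off, tok in il_tokens(body[off:off + code_size]):
        table, rid = tok >> 24, tok & 0xFFFFFF
        if table not in BODY_TABLES or rid == 0:
            problems.append(f"IL_{il_off:04x}: token {tok:#010x} has no usable table/rid")
        elif row_counts and rid > row_counts.get(table, rid):  # e.g. a DynamicMethod-scope token
            problems.append(f"IL_{il_off:04x}: {BODY_TABLES[table]} rid {rid} not in module")
    return problems
# Constructed samples (not from the challenge): a fat body with locals doing ldstr 0x70000001 /
# call 0x0A000001 / ret, and a tiny body whose call targets MethodDef rid 0x99 instead.
GOOD_IL = bytes([0x72, 1, 0, 0, 0x70, 0x28, 1, 0, 0, 0x0A, 0x2A])
GOOD_BODY = struct.pack("<HHII", 0x3013, 8, len(GOOD_IL), 0x11000001) + GOOD_IL
BAD_BODY = bytes([len(GOOD_IL) << 2 | 0x2]) + GOOD_IL[:6] + bytes([0x99, 0, 0, 0x06]) + GOOD_IL[10:]
```

Pass the target module's table row counts (for example `{0x06: 70}` if it has 70 MethodDef rows) to catch tokens that parse fine but point outside the module; without them only the table id and a zero rid are checked.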
AeroX2 Posted October 16, 2022
Quoting Extreme Coders (10/12/2022 at 7:14 PM): Once you get to decode all of them (about 70 I think) the interesting ones should be evident by the presence of suspicious strings etc. Writing a tool to automate does help.
Thanks, this helped me considerably. I think I have a rough idea of what the program is doing and I'm getting somewhere, hopefully... Quick question around dnSpy: any idea why dnSpy doesn't decompile the FLARE05 _DoTask function? It seems that dnSpy can resolve the MDtokens, and it doesn't seem obfuscated, unlike the flared_* functions.

Extreme Coders Posted October 16, 2022
@AeroX2 If done correctly, dnSpy should be able to decompile. If done incorrectly, the MDtokens may still resolve to something but that would not necessarily be correct. Perhaps going through the #US heap may help.

cybercat Posted October 16, 2022 (edited)
//deleted

Neo123 Posted October 17, 2022
Quoting Washi (10/16/2022 at 1:24 PM): @Neo123 Then we must conclude that something is going on in the executable that makes the script behave differently from within the executable.
I tried debugging the .exe but it has too many functions and I am not exactly familiar with how node.exe embeds and runs a .js script file in memory. As far as I know, all interpreted scripts are converted into some intermediate instructions but I am not able to pinpoint the exact function that does that. Any specific thing that I should look for, or any specific debugging tool that makes it easier?

Washi (thread author) Posted October 18, 2022
@Neo123 You don't really have to know exactly how node.exe works and runs the JavaScript to get to know and work around the changes that were made.
cybercat Posted October 18, 2022 (edited)
Hello again, guys. Can you tell me, should I do something with signatures? For example, I think that I have decoded flared_66 but dnSpy does not decompile it correctly. When I look at the IL dump, the code looks fine to me. I do the same thing for other flared functions but only 2 or 3 are decompiling correctly. Let's say that I am copying bytes and patching the assembly: FLARED_70, FLARED_66, FLARED_69, FLARED_35, FLARED_47, FLARED_67, FLARED_68. After the patch two of them look OK in dnSpy and decompile correctly, but the others are not OK for dnSpy. What is the difference between those two and the others which are not working (decompilation fails)? As an example, Flared_66 is not decompiled correctly. I am trying to patch the Signatures/Headers but with no luck. Should I touch them? Do I also need to patch signatures related to LocalVarSigHelper? Is it possible that the methods which decompile OK are just luck, because other things happen to match between the original EXE and the patched version? Where should I look? What to patch? Why can't I just copy bytes? If I have the signature in a byte array, where should I put it? Is it possible in dnSpy to easily insert this signature into a method? When you decode a few methods, should the execution go into those Flared methods? I am asking because even if I decode one method, the program does not enter into it; it catches the exception and goes to the resolver method. Thanks for any help. This task is above my skills at the moment, but I don't know what I should learn to move a little forward.

deepzero Posted October 18, 2022
Quoting cybercat: I am asking because even if I decode one method, the program does not enter into it; it catches the exception and goes to the resolver method.
Then you have not decoded them correctly. There is no need to mess with "signatures". Look at what the resolver method does, what it patches in the bytecode it executes dynamically.

kiyo Posted October 22, 2022
Ch09. I would appreciate advice on how to proceed. I could understand the components (I haven't identified how some of them should be used) in the encrypted file through analyzing the binary. Now I need a key and some other factors to decrypt what we want. However, they are encrypted by another algorithm, like a general ransomware. The algorithm seems to be asymmetric but I haven't been able to find a clue how to proceed.

kao Posted October 22, 2022
@kiyo:
Quoting kiyo (1 hour ago): The algorithm seems to be asymmetric
Figure out which algorithm it is and then find a bug in the implementation.